web-based attacks : offense
Web-Based Attacks: Offense
Wild Wild West
Bob, Jeff, and Junia
Agenda
Weaknesses of the paper
Attacks not mentioned
Future Trends
Weaknesses of the paper
Web-based Attacks: White Paper or Infomercial…?
Shameless plugs peppered throughout
No mention of non-Symantec solutions, like desktop virtualization
Well yes, but everybody does it.
How else would they get funded…
Vulnerability of web-based applications
A topic for nerds, written by nerds…
Technical aptitude is needed to even understand the challenge/threat
This is likely one of the problems with getting people to pay attention to security
Compare with articles about ‘The Cloud’
• Articles about ‘The Cloud’ get noticed by execs because it speaks to them
• You can find them in In-flight magazines
• Their message: A credit card, a few mouse clicks, and voila! Provisioned IT resources
Attacks not mentioned
New ways of getting you to a malicious site
Blogs
Social networking
URL shorteners
Twitter and Facebook viruses exist
Google, How We Get To Most Sites:
We trust Google!
Search Engine Optimization (SEO) poisoning aims to boost malicious websites to the top of the list.
An Example of SEO Poisoning
1) Find a legitimate website (http://jeffkimballwater.com)
An Example of SEO Poisoning
2) Compromise the website. Easy!
3) Submit a special URL to a search engine: “http://jeffkimballwater.com?r=discover-card”
An Example of SEO Poisoning
4) When the search engine indexes this URL, a script is called. Change the page to add a bunch of hidden, relevant links. Get the keywords for these links from another search engine.
Diagram: http://jeffkimballwater.com?r=discover-card → keyword “discover card” → hidden links:
Discover Financial Services (http://jeffkimballwater.com?r=discover-financial-services)
Discover Credit Cards (http://jeffkimballwater.com?r=discover-credit-cards)
Discover Card Facts (http://jeffkimballwater.com?r=discover-card-facts)
Apply for a credit card (http://jeffkimballwater.com?r=apply-for-a-credit-card)
An Example of SEO Poisoning
5) Highly ranked “Discover Card Application” delivers malicious payload to people from Google.
6) Site looks normal to everyone else.
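Step 6 is what makes this attack hard to notice: the compromised site cloaks, serving the keyword-stuffed hidden links only to the search engine's crawler. A defender can catch that by fetching the same URL as a crawler and as a browser and diffing the links. The following is an added example, not code from the slides; the two HTML pages are constructed sample input and the helper names (`LinkCollector`, `cloaked_links`) are hypothetical.

```python
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, is_hidden) for every <a>, tracking hidden ancestors."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._stack = []        # (tag, hidden?) for each open element
        self._hidden_depth = 0  # how many open ancestors are hidden

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        self._stack.append((tag, hidden))
        self._hidden_depth += hidden
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], self._hidden_depth > 0))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, undoing hidden counts on the way.
        while self._stack:
            t, hidden = self._stack.pop()
            self._hidden_depth -= hidden
            if t == tag:
                break


def extract_links(html):
    p = LinkCollector()
    p.feed(html)
    return p.links


def cloaked_links(crawler_html, browser_html):
    """Hidden links served to the crawler that a normal browser never gets."""
    seen_by_browser = {href for href, _ in extract_links(browser_html)}
    return sorted({href for href, hidden in extract_links(crawler_html)
                   if hidden and href not in seen_by_browser})


# Constructed sample pages: what a browser gets vs. what the crawler gets.
BROWSER_PAGE = ("<html><body><h1>Jeff Kimball Water</h1>"
                "<a href='/about'>About</a></body></html>")
CRAWLER_PAGE = BROWSER_PAGE.replace("</body>", (
    "<div style='display:none'>"
    "<a href='http://jeffkimballwater.com?r=discover-financial-services'>Discover Financial Services</a>"
    "<a href='http://jeffkimballwater.com?r=discover-credit-cards'>Discover Credit Cards</a>"
    "<a href='http://jeffkimballwater.com?r=apply-for-a-credit-card'>Apply for a credit card</a>"
    "</div></body>"))
```

In practice the two inputs come from fetching the page once with a crawler User-Agent and once with a browser User-Agent; a non-empty result is the cloaking signature the slides describe.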
Attacking a website using Cross Site Forgery
Cross-Site Reference Forgery
XSRF
CSRF
Sea Surfing
Session Riding
Hostile Linking
One-Click attacks
A confused deputy attack on a website, where the website already trusts a user.
An Example of Cross Site Forgery
Bob Frazer logs into Bankbank.com
Bob then logs into FerrariOwnersClub.com
Mal posts a bad link as his signature picture, which Bob loads: `<img src=http://bankbank.com/withdraw?account=bob&amount=1000&for=mallory>`
Bob, who is still logged into Bankbank, executes the request.
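The request succeeds because the bank checks only the session cookie, which the browser attaches to the image fetch automatically. As an added example (not from the slides), here is a hypothetical Bankbank withdraw handler before and after CSRF hardening: the hardened version refuses GET for a state change, checks the Origin/Referer host, and requires a per-session token that a cross-site page cannot read. Requests are constructed dicts standing in for HTTP; the session store, balances and token values are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed session store and balances (assumptions, not Bankbank's real design).
SESSIONS = {"sess-bob": {"user": "bob", "csrf": secrets.token_hex(16)}}
BALANCES = {"bob": 5000}
SITE_HOST = "bankbank.com"


def vulnerable_withdraw(req):
    """Trusts the session cookie alone, so the forum <img> GET goes through."""
    sess = SESSIONS.get(req["cookies"].get("session"))
    if sess is None:
        return 401, "not logged in"
    BALANCES[sess["user"]] -= int(req["params"]["amount"])
    return 200, "ok"


def hardened_withdraw(req):
    """Same operation with three CSRF checks layered on top of the cookie."""
    sess = SESSIONS.get(req["cookies"].get("session"))
    if sess is None:
        return 401, "not logged in"
    if req["method"] != "POST":                        # no state change on GET
        return 405, "method not allowed"
    sender = req["headers"].get("Origin") or req["headers"].get("Referer") or ""
    if urlsplit(sender).netloc != SITE_HOST:           # cross-site sender
        return 403, "bad origin"
    token = req["params"].get("csrf", "")
    if not hmac.compare_digest(token, sess["csrf"]):   # token bound to the session
        return 403, "bad csrf token"
    BALANCES[sess["user"]] -= int(req["params"]["amount"])
    return 200, "ok"


# Bob's browser fetching Mal's signature image: the cookie rides along, but the
# request is a GET, carries no token, and its Referer is the forum.
FORGED = {"method": "GET", "cookies": {"session": "sess-bob"},
          "headers": {"Referer": "http://ferrariownersclub.com/thread/1"},
          "params": {"account": "bob", "amount": "1000", "for": "mallory"}}


def legit_request(amount):
    """A form POST from Bankbank's own page carrying the session's token."""
    return {"method": "POST", "cookies": {"session": "sess-bob"},
            "headers": {"Origin": "http://bankbank.com"},
            "params": {"account": "bob", "amount": str(amount),
                       "csrf": SESSIONS["sess-bob"]["csrf"]}}
```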
Attacking You Through Your Phone
Not web based yet, but attackers are interested.
Trojan-SMS.AndroidOS.FakePlayer.a
Sends texts without user’s knowledge to premium rate numbers.
Android Spyware
Tip Calculator
Attacking You Through Your Phone
Symbian OS
Skulls
Worm:iOS/Ikee
Proof of concept spreads through WiFi or 3G, sends financial information to server.
Future Trends
Future Trends - Users
• Increasingly young user base
• More online edutainment/games
• More familiar and comfortable with the web world
• Less knowledgeable about security risk
Future Trends - Attacks
Increase in internet users
Move from IPv4 to IPv6
More attacks on the web servers
More sophisticated hackers
Future Trends - Companies
Focus more on web security
Getting better at locking down the web
Future Trends - Cloud Computing
Increase in IT budgets
More web applications hosted in the cloud
With lower cost comes higher security risk
More complex security
Future Trends - Browsers will be more responsible
Google Chrome
FireFox
Future Trends – Spam
More legitimate-looking spam
![Page 25: Web-Based Attacks : Offense](https://reader035.vdocument.in/reader035/viewer/2022062521/56816979550346895de17369/html5/thumbnails/25.jpg)